Use of org.apache.wss4j.policy.model.SamlToken in project cxf by apache: class AsymmetricBindingHandler, method doSignBeforeEncrypt.
/**
 * Applies the asymmetric binding in "sign before encrypt" order: resolve and
 * assert the signature token, produce the signature (plus endorsing or
 * signature-confirmation data), then encrypt the encrypted parts - optionally
 * including the signature itself - with the other party's token.
 * <p>
 * The policy is explicitly unasserted (and the method returns early) only when
 * a required issued/SAML token is missing. Any other failure is logged and
 * rethrown as a {@code Fault}.
 */
private void doSignBeforeEncrypt() {
    try {
        // Prefer the dedicated initiator signature token; fall back to the
        // general initiator token when the binding does not define one.
        AbstractTokenWrapper initiatorWrapper = abinding.getInitiatorSignatureToken();
        if (initiatorWrapper == null) {
            initiatorWrapper = abinding.getInitiatorToken();
        }
        assertTokenWrapper(initiatorWrapper);
        // Whether the initiator token element itself was attached to the
        // header; only the IssuedToken branch below sets this.
        boolean attached = false;
        if (initiatorWrapper != null) {
            AbstractToken initiatorToken = initiatorWrapper.getToken();
            if (initiatorToken instanceof IssuedToken) {
                // An issued token must already be available; without one the
                // assertion cannot be satisfied.
                SecurityToken secToken = getSecurityToken();
                if (secToken == null) {
                    unassertPolicy(initiatorToken, "Security token is not found or expired");
                    return;
                } else if (isTokenRequired(initiatorToken.getIncludeTokenType())) {
                    // The include-token policy requires the token in the
                    // message: attach a copy of its element.
                    Element el = secToken.getToken();
                    this.addEncryptedKeyElement(cloneElement(el));
                    attached = true;
                }
            } else if (initiatorToken instanceof SamlToken && isRequestor()) {
                // Requestor side: obtain the SAML assertion and, when the
                // include-token policy requires it, add it to the header and
                // keep it as the security token for later steps.
                SamlAssertionWrapper assertionWrapper = addSamlToken((SamlToken) initiatorToken);
                if (assertionWrapper != null && isTokenRequired(initiatorToken.getIncludeTokenType())) {
                    Element envelope = saaj.getSOAPPart().getEnvelope();
                    envelope = (Element) DOMUtils.getDomElement(envelope);
                    addSupportingElement(assertionWrapper.toDOM(envelope.getOwnerDocument()));
                    storeAssertionAsSecurityToken(assertionWrapper);
                }
            } else if (initiatorToken instanceof SamlToken) {
                // Non-requestor side: a SAML token id must already be known.
                String tokenId = getSAMLToken();
                if (tokenId == null) {
                    unassertPolicy(initiatorToken, "Security token is not found or expired");
                    return;
                }
            }
            assertToken(initiatorToken);
        }

        // Parts to sign: the timestamp first, then the supporting tokens,
        // then the configured signed parts.
        List<WSEncryptionPart> sigs = new ArrayList<>();
        if (timestampEl != null) {
            WSEncryptionPart timestampPart = convertToEncryptionPart(timestampEl.getElement());
            sigs.add(timestampPart);
        }
        addSupportingTokens(sigs);
        sigs.addAll(this.getSignedParts(null));

        if (isRequestor() && initiatorWrapper != null) {
            // Requestor: sign with the initiator token, then add the
            // endorsing signatures.
            doSignature(initiatorWrapper, sigs, attached);
            doEndorse();
        } else if (!isRequestor()) {
            // Recipient: add the signature confirmation elements and sign
            // with the recipient signature token (falling back to the
            // general recipient token).
            addSignatureConfirmation(sigs);
            AbstractTokenWrapper recipientSignatureToken = abinding.getRecipientSignatureToken();
            if (recipientSignatureToken == null) {
                recipientSignatureToken = abinding.getRecipientToken();
            }
            if (recipientSignatureToken != null) {
                assertTokenWrapper(recipientSignatureToken);
                assertToken(recipientSignatureToken.getToken());
                doSignature(recipientSignatureToken, sigs, attached);
            }
        }

        List<WSEncryptionPart> enc = getEncryptedParts();
        // Signature protection: when the binding requires it, the signature
        // element and any signature confirmations are encrypted as well.
        // NOTE(review): mainSigId, bottomUpElement and sigConfList are
        // presumably populated by doSignature / addSignatureConfirmation
        // above - confirm against those methods.
        if (abinding.isEncryptSignature()) {
            if (mainSigId != null) {
                WSEncryptionPart sigPart = new WSEncryptionPart(mainSigId, "Element");
                sigPart.setElement(bottomUpElement);
                enc.add(sigPart);
            }
            if (sigConfList != null && !sigConfList.isEmpty()) {
                enc.addAll(sigConfList);
            }
            assertPolicy(new QName(abinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_SIGNATURE));
        }

        // Encryption uses the other party's token: the requestor encrypts for
        // the recipient and the recipient for the initiator. Fall back to the
        // general token when no dedicated encryption token is configured.
        AbstractTokenWrapper encToken;
        if (isRequestor()) {
            enc.addAll(encryptedTokensList);
            encToken = abinding.getRecipientEncryptionToken();
            if (encToken == null) {
                encToken = abinding.getRecipientToken();
            }
        } else {
            encToken = abinding.getInitiatorEncryptionToken();
            if (encToken == null) {
                encToken = abinding.getInitiatorToken();
            }
        }
        if (encToken != null) {
            if (encToken.getToken() != null && !enc.isEmpty()) {
                final WSSecBase encr;
                if (encToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
                    // Derived-key encryption, keyed from the token.
                    encr = doEncryptionDerived(encToken, enc);
                } else {
                    // Otherwise generate a fresh symmetric key for the
                    // algorithm suite's encryption algorithm.
                    String symEncAlgorithm = abinding.getAlgorithmSuite().getAlgorithmSuiteType().getEncryption();
                    KeyGenerator keyGen = KeyUtils.getKeyGenerator(symEncAlgorithm);
                    SecretKey symmetricKey = keyGen.generateKey();
                    encr = doEncryption(encToken, enc, false, symmetricKey);
                }
                // Clean up the encryption builder once the parts are encrypted.
                encr.clean();
            }
            assertTokenWrapper(encToken);
            assertToken(encToken.getToken());
        }
    } catch (Exception e) {
        // Short reason at WARNING, full stack trace at FINE, then surface the
        // failure to the caller as a Fault.
        String reason = e.getMessage();
        LOG.log(Level.WARNING, "Sign before encryption failed due to : " + reason);
        LOG.log(Level.FINE, e.getMessage(), e);
        throw new Fault(e);
    }
}
Use of org.apache.wss4j.policy.model.SamlToken in project cxf by apache: class AbstractCommonBindingHandler, method assertToken.
/**
 * Asserts the policy assertion for {@code token} together with its
 * sub-assertions: the derived-keys assertion (when the token declares one)
 * and the token-type specific assertions handled by the {@code assert*Token}
 * helpers. A {@code null} token is ignored.
 * <p>
 * The type checks are kept in a fixed order because some of these token
 * types may be related by inheritance (e.g. SecureConversationToken and
 * SecurityContextToken), so the first matching branch wins.
 *
 * @param token the policy token to assert; may be {@code null}
 */
protected void assertToken(AbstractToken token) {
    if (token == null) {
        return;
    }
    assertPolicy(token.getName());
    String tokenNs = token.getName().getNamespaceURI();

    if (token.getDerivedKeys() != null) {
        assertPolicy(new QName(tokenNs, token.getDerivedKeys().name()));
    }

    if (token instanceof X509Token) {
        assertX509Token((X509Token) token);
        return;
    }
    if (token instanceof HttpsToken) {
        HttpsToken https = (HttpsToken) token;
        if (https.getAuthenticationType() != null) {
            assertPolicy(new QName(tokenNs, https.getAuthenticationType().name()));
        }
        return;
    }
    if (token instanceof KeyValueToken) {
        if (((KeyValueToken) token).isRsaKeyValue()) {
            assertPolicy(new QName(tokenNs, SPConstants.RSA_KEY_VALUE));
        }
        return;
    }
    if (token instanceof UsernameToken) {
        assertUsernameToken((UsernameToken) token);
        return;
    }
    if (token instanceof SecureConversationToken) {
        assertSecureConversationToken((SecureConversationToken) token);
        return;
    }
    if (token instanceof SecurityContextToken) {
        assertSecurityContextToken((SecurityContextToken) token);
        return;
    }
    if (token instanceof SpnegoContextToken) {
        assertSpnegoContextToken((SpnegoContextToken) token);
        return;
    }
    if (token instanceof IssuedToken) {
        assertIssuedToken((IssuedToken) token);
        return;
    }
    if (token instanceof KerberosToken) {
        assertKerberosToken((KerberosToken) token);
        return;
    }
    if (token instanceof SamlToken) {
        assertSamlToken((SamlToken) token);
    }
}
Use of org.apache.wss4j.policy.model.SamlToken in project cxf by apache: class SamlTokenPolicyValidator, method validatePolicies.
/**
 * Validates the received SAML assertions against each {@code SamlToken}
 * policy assertion.
 * <p>
 * Each assertion is marked as asserted up front and then marked not asserted
 * when the token is required but no SAML result was received, when a received
 * assertion has the wrong SAML version, or - unless disabled through the
 * {@code SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION} property - when
 * a received assertion fails the holder-of-key or sender-vouches subject
 * confirmation checks. Every received assertion is checked.
 *
 * @param parameters the validation context (message, engine results, assertion info map)
 * @param ais the {@code SamlToken} assertions to validate
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    for (AssertionInfo ai : ais) {
        SamlToken samlToken = (SamlToken) ai.getAssertion();
        ai.setAsserted(true);
        assertToken(samlToken, parameters.getAssertionInfoMap());

        if (!isTokenRequired(samlToken, parameters.getMessage())) {
            // Not required by the include-token policy: assert the
            // version/type qualified name and move on.
            PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(),
                new QName(samlToken.getVersion().getNamespace(), samlToken.getSamlTokenType().name()));
            continue;
        }
        if (parameters.getSamlResults().isEmpty()) {
            ai.setNotAsserted("The received token does not match the token inclusion requirement");
            continue;
        }

        boolean checkSubjectConfirmation = subjectConfirmationEnabled(parameters);
        // All of the received SAML assertions must conform to the policy.
        for (WSSecurityEngineResult result : parameters.getSamlResults()) {
            SamlAssertionWrapper assertion =
                (SamlAssertionWrapper) result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
            if (!checkVersion(parameters.getAssertionInfoMap(), samlToken, assertion)) {
                ai.setNotAsserted("Wrong SAML Version");
            } else if (checkSubjectConfirmation) {
                String failure = subjectConfirmationFailure(assertion, parameters);
                if (failure != null) {
                    ai.setNotAsserted(failure);
                }
            }
            // NOTE: issuer-name matching (checkIssuerName) is not enforced here.
        }
    }
}

/**
 * Whether subject confirmation checks apply to this message. Defaults to
 * {@code true}; when the {@code VALIDATE_SAML_SUBJECT_CONFIRMATION} security
 * property is set, its string value is parsed as a boolean.
 */
private static boolean subjectConfirmationEnabled(PolicyValidatorParameters parameters) {
    String configured = (String) SecurityUtils.getSecurityPropertyValue(
        SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, parameters.getMessage());
    return configured == null || Boolean.parseBoolean(configured);
}

/**
 * Runs the holder-of-key and then the sender-vouches check for one received
 * assertion, using the TLS peer certificates from the message when present.
 *
 * @return the failure reason, or {@code null} when both checks pass
 */
private String subjectConfirmationFailure(SamlAssertionWrapper assertion,
                                          PolicyValidatorParameters parameters) {
    TLSSessionInfo tlsInfo = parameters.getMessage().get(TLSSessionInfo.class);
    Certificate[] tlsCerts = tlsInfo == null ? null : tlsInfo.getPeerCertificates();
    if (!checkHolderOfKey(assertion, parameters.getSignedResults(), tlsCerts)) {
        return "Assertion fails holder-of-key requirements";
    }
    // Sender-vouches cannot be verified without a SOAP body to check against.
    if (parameters.getSoapBody() == null
        || !DOMSAMLUtil.checkSenderVouches(assertion, tlsCerts, parameters.getSoapBody(),
                                            parameters.getSignedResults())) {
        return "Assertion fails sender-vouches requirements";
    }
    return null;
}
Use of org.apache.wss4j.policy.model.SamlToken in project cxf by apache: class SignedTokenPolicyValidator, method validatePolicies.
/**
 * Validates the signed supporting token assertions.
 * <p>
 * For each assertion the binding's signed/encrypted parts and elements are
 * recorded, then every token that the include-token policy requires is handed
 * to the processor for its type. A required token whose processor fails, or
 * whose type is not supported, marks the assertion as not asserted.
 *
 * @param parameters the validation context (message and engine results)
 * @param ais the {@code SupportingTokens} assertions to validate
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    for (AssertionInfo ai : ais) {
        SupportingTokens binding = (SupportingTokens) ai.getAssertion();
        ai.setAsserted(true);
        setSignedParts(binding.getSignedParts());
        setEncryptedParts(binding.getEncryptedParts());
        setSignedElements(binding.getSignedElements());
        setEncryptedElements(binding.getEncryptedElements());

        for (AbstractToken token : binding.getTokens()) {
            if (isTokenRequired(token, parameters.getMessage())
                && !signedTokenProcessed(parameters, token)) {
                ai.setNotAsserted("The received token does not match the signed supporting token requirement");
            }
        }
    }
}

/**
 * Dispatches a required token to the processor for its type, checked in this
 * order: UsernameToken, SamlToken, KerberosToken, X509Token, KeyValueToken,
 * SecurityContextToken, IssuedToken.
 *
 * @return {@code true} when the token's processor succeeded; an IssuedToken
 *         that does not require a SAML token counts as processed, and an
 *         unsupported token type never does
 */
private boolean signedTokenProcessed(PolicyValidatorParameters parameters, AbstractToken token) {
    if (token instanceof UsernameToken) {
        return processUsernameTokens(parameters, false);
    }
    if (token instanceof SamlToken) {
        return processSAMLTokens(parameters, false);
    }
    if (token instanceof KerberosToken) {
        return processKerberosTokens(parameters, false);
    }
    if (token instanceof X509Token) {
        return processX509Tokens(parameters, false);
    }
    if (token instanceof KeyValueToken) {
        return processKeyValueTokens(parameters);
    }
    if (token instanceof SecurityContextToken) {
        return processSCTokens(parameters, false);
    }
    if (token instanceof IssuedToken) {
        return !isSamlTokenRequiredForIssuedToken((IssuedToken) token)
            || processSAMLTokens(parameters, false);
    }
    return false;
}
Use of org.apache.wss4j.policy.model.SamlToken in project cxf by apache: class EndorsingTokenPolicyValidator, method validatePolicies.
/**
 * Validates the endorsing supporting token assertions.
 * <p>
 * For each assertion the binding's signed/encrypted parts and elements are
 * recorded. Tokens the include-token policy does not require only get their
 * derived-keys and secured-parts assertions asserted. Required tokens are
 * handed to the processor for their type, with the derived-keys flag taken
 * from the token; a failed or unsupported token marks the assertion as not
 * asserted, and a successfully processed derived-key token asserts the
 * derived-keys assertion when a DKT action result is present.
 *
 * @param parameters the validation context (message, engine results, assertion info map)
 * @param ais the {@code SupportingTokens} assertions to validate
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    for (AssertionInfo ai : ais) {
        SupportingTokens binding = (SupportingTokens) ai.getAssertion();
        ai.setAsserted(true);
        setSignedParts(binding.getSignedParts());
        setEncryptedParts(binding.getEncryptedParts());
        setSignedElements(binding.getSignedElements());
        setEncryptedElements(binding.getEncryptedElements());

        for (AbstractToken token : binding.getTokens()) {
            if (!isTokenRequired(token, parameters.getMessage())) {
                assertDerivedKeys(token, parameters.getAssertionInfoMap());
                assertSecurePartsIfTokenNotRequired(binding, parameters.getAssertionInfoMap());
                continue;
            }

            boolean derived = token.getDerivedKeys() == DerivedKeys.RequireDerivedKeys;
            if (!endorsingTokenProcessed(parameters, token, derived)) {
                ai.setNotAsserted("The received token does not match the endorsing supporting token requirement");
                continue;
            }
            if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
                assertDerivedKeys(token, parameters.getAssertionInfoMap());
            }
        }
    }
}

/**
 * Dispatches a required token to the processor for its type, checked in this
 * order: KerberosToken, X509Token, KeyValueToken, UsernameToken,
 * SecurityContextToken/SpnegoContextToken, SamlToken, IssuedToken.
 *
 * @param derived whether the token requires derived keys; passed through to
 *        the processors that take it
 * @return {@code true} when the token's processor succeeded; an IssuedToken
 *         that does not require a SAML token counts as processed, and an
 *         unsupported token type never does
 */
private boolean endorsingTokenProcessed(PolicyValidatorParameters parameters,
                                        AbstractToken token, boolean derived) {
    if (token instanceof KerberosToken) {
        return processKerberosTokens(parameters, derived);
    }
    if (token instanceof X509Token) {
        return processX509Tokens(parameters, derived);
    }
    if (token instanceof KeyValueToken) {
        return processKeyValueTokens(parameters);
    }
    if (token instanceof UsernameToken) {
        return processUsernameTokens(parameters, derived);
    }
    if (token instanceof SecurityContextToken || token instanceof SpnegoContextToken) {
        return processSCTokens(parameters, derived);
    }
    if (token instanceof SamlToken) {
        return processSAMLTokens(parameters, derived);
    }
    if (token instanceof IssuedToken) {
        return !isSamlTokenRequiredForIssuedToken((IssuedToken) token)
            || processSAMLTokens(parameters, derived);
    }
    return false;
}